lxc: Add OpenSSH support for Busybox containers

Add command line parameter to create Busybox containers
with OpenSSH support. As a prerequisite, OpenSSH needs
to be installed on the host system.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>

3 files changed, 297 insertions, 0 deletions

diff --git a/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
new file mode 100644
index 00000000..f2f332cb
--- /dev/null
+++ b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
@@ -0,0 +1,246 @@
+From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Wed, 22 Apr 2015 14:53:32 +0000
+Subject: [PATCH] lxc-busybox: add OpenSSH support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an additional template parameter for SSH support in the container. Currently
+this can be implemented using the Dropbear or OpenSSH utility. The respective
+tool needs to be available on the host Linux.
+
+If the parameter is omitted, the template will look for the Dropbear utility on
+the host and install it if it is available (legacy behavior).
+
+Adding OpenSSH support has been done following the model in the lxc-sshd
+template.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Acked-by: Stéphane Graber <stgraber@ubuntu.com>
+---
+ templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 139 insertions(+), 30 deletions(-)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 7e05bd6..95961a3 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -22,6 +22,7 @@
+ 
+ LXC_MAPPED_UID=
+ LXC_MAPPED_GID=
++SSH=
+ 
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -160,6 +161,116 @@ EOF
+     return $res
+ }
+ 
++install_dropbear()
++{
++    # copy dropbear binary
++    cp $(which dropbear) $rootfs/usr/sbin
++    if [ $? -ne 0 ]; then
++        echo "Failed to copy dropbear in the rootfs"
++        return 1
++    fi
++
++    # make symlinks to various ssh utilities
++    utils="\
++        $rootfs/usr/bin/dbclient \
++        $rootfs/usr/bin/scp \
++        $rootfs/usr/bin/ssh \
++        $rootfs/usr/sbin/dropbearkey \
++        $rootfs/usr/sbin/dropbearconvert \
++    "
++    echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
++
++    # add necessary config files
++    mkdir $rootfs/etc/dropbear
++    dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
++    dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
++
++    echo "'dropbear' ssh utility installed"
++
++    return 0
++}
++
++install_openssh()
++{
++    # tools to be installed
++    server_utils="sshd"
++    client_utils="\
++        ssh \
++        scp \
++        sftp \
++        ssh-add \
++        ssh-agent \
++        ssh-keygen \
++        ssh-keyscan \
++        ssh-argv0 \
++        ssh-copy-id \
++        "
++
++    # new folders used by ssh
++    ssh_tree="\
++$rootfs/etc/ssh \
++$rootfs/var/empty/sshd \
++$rootfs/var/lib/empty/sshd \
++$rootfs/var/run/sshd \
++"
++
++    # create folder structure
++    mkdir -p $ssh_tree
++    if [ $? -ne 0 ]; then
++        return 1
++    fi
++
++    # copy binaries
++    for bin in $server_utils $client_utils; do
++        tool_path=`which $bin`
++        cp $tool_path $rootfs/$tool_path
++        if [ $? -ne 0 ]; then
++            echo "Unable to copy $tool_path in the rootfs"
++            return 1
++        fi
++    done
++
++    # add user and group
++    cat <<EOF >> $rootfs/etc/passwd
++sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
++EOF
++
++    cat <<EOF >> $rootfs/etc/group
++sshd:x:74:
++EOF
++
++    # generate container keys
++    ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
++    ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
++
++    # by default setup root password with no password
++    cat <<EOF > $rootfs/etc/ssh/sshd_config
++Port 22
++Protocol 2
++HostKey /etc/ssh/ssh_host_rsa_key
++HostKey /etc/ssh/ssh_host_dsa_key
++UsePrivilegeSeparation yes
++KeyRegenerationInterval 3600
++ServerKeyBits 768
++SyslogFacility AUTH
++LogLevel INFO
++LoginGraceTime 120
++PermitRootLogin yes
++StrictModes yes
++RSAAuthentication yes
++PubkeyAuthentication yes
++IgnoreRhosts yes
++RhostsRSAAuthentication no
++HostbasedAuthentication no
++PermitEmptyPasswords yes
++ChallengeResponseAuthentication no
++EOF
++
++    echo "'OpenSSH' utility installed"
++
++    return 0
++}
++
+ configure_busybox()
+ {
+     rootfs=$1
+@@ -230,34 +341,6 @@ EOF
+     lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
+     rm $CHPASSWD_FILE
+ 
+-    # add ssh functionality if dropbear package available on host
+-    which dropbear >/dev/null 2>&1
+-    if [ $? -eq 0 ]; then
+-        # copy dropbear binary
+-        cp $(which dropbear) $rootfs/usr/sbin
+-        if [ $? -ne 0 ]; then
+-            echo "Failed to copy dropbear in the rootfs"
+-            return 1
+-        fi
+-
+-        # make symlinks to various ssh utilities
+-        utils="\
+-            $rootfs/usr/bin/dbclient \
+-            $rootfs/usr/bin/scp \
+-            $rootfs/usr/bin/ssh \
+-            $rootfs/usr/sbin/dropbearkey \
+-            $rootfs/usr/sbin/dropbearconvert \
+-        "
+-        echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
+-
+-        # add necessary config files
+-        mkdir $rootfs/etc/dropbear
+-        dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
+-        dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
+-
+-        echo "'dropbear' ssh utility installed"
+-    fi
+-
+     return 0
+ }
+ 
+@@ -315,12 +398,12 @@ remap_userns()
+ usage()
+ {
+     cat <<EOF
+-$1 -h|--help -p|--path=<path>
++$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
+ EOF
+     return 0
+ }
+ 
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
++options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
+ if [ $? -ne 0 ]; then
+     usage $(basename $0)
+     exit 1
+@@ -336,6 +419,7 @@ do
+         -n|--name)      name=$2; shift 2;;
+         --mapped-uid)   LXC_MAPPED_UID=$2; shift 2;;
+         --mapped-gid)   LXC_MAPPED_GID=$2; shift 2;;
++        -s|--ssh)       SSH=$2; shift 2;;
+         --)             shift 1; break ;;
+         *)              break ;;
+     esac
+@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then
+     echo "failed to remap files to user"
+     exit 1
+ fi
++
++if [ -n "$SSH" ]; then
++    case "$SSH" in
++        "dropbear")
++            install_dropbear
++            if [ $? -ne 0 ]; then
++                echo "Unable to install 'dropbear' ssh utility"
++                exit 1
++            fi ;;
++        "openssh")
++            install_openssh
++            if [ $? -ne 0 ]; then
++                echo "Unable to install 'OpenSSH' utility"
++                exit 1
++            fi ;;
++        *)
++            echo "$SSH: unrecognized ssh utility"
++            exit 1
++    esac
++else
++    which dropbear >/dev/null 2>&1
++    if [ $? -eq 0 ]; then
++        install_dropbear
++    fi
++fi
+-- 
+2.1.4
+
diff --git a/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
new file mode 100644
index 00000000..2d287885
--- /dev/null
+++ b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
@@ -0,0 +1,49 @@
+From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Thu, 23 Apr 2015 08:33:00 +0000
+Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional
+
+Currently, when installing OpenSSH in a Busybox container, the template searches
+for all the OpenSSH client binaries available in the Debian distro package. The
+included tools might differ from distro to distro, so make part of the tools
+optional. The mandatory tools, without which installing OpenSSH fails, are
+"sshd" for the server and "ssh" and "scp" for the client.
+
+Upstream-Status: Submitted
+[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+---
+ templates/lxc-busybox.in | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 95961a3..17a3006 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -197,6 +197,8 @@ install_openssh()
+     client_utils="\
+         ssh \
+         scp \
++        "
++    client_optional_utils="\
+         sftp \
+         ssh-add \
+         ssh-agent \
+@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \
+         fi
+     done
+ 
++    for bin in $client_optional_utils; do
++        tool_path=`which $bin`
++        if [ $? -eq 0 ]; then
++            cp $tool_path $rootfs/$tool_path
++        fi
++    done
++
+     # add user and group
+     cat <<EOF >> $rootfs/etc/passwd
+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+-- 
+2.1.4
+
diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
index 0da1e37f..f79ba762 100644
--- a/recipes-containers/lxc/lxc_1.0.7.bb
+++ b/recipes-containers/lxc/lxc_1.0.7.bb
@@ -32,6 +32,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
         file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
         file://ppc-add-seccomp-support-for-lxc.patch \
         file://lxc-fix-B-S.patch \
+        file://lxc-busybox-add-OpenSSH-support.patch \
+        file://make-some-OpenSSH-tools-optional.patch \
         "
 
 SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"